Heartbleed: Why websites were caught unprepared

Facebook Inc. and Yahoo Inc.'s blogging site Tumblr advised users to change their passwords because of the so-called Heartbleed bug. Canada's tax agency shut its filing website as a precaution, weeks before its April 30 filing deadline.

Websites for Airbnb Inc., the Four Seasons hotel chain and Netflix Inc. were vulnerable for a time, said Wayne Jackson, CEO of Sonatype Inc., which manages open-source software. Airbnb and Netflix said they had updated their software. Four Seasons didn't immediately respond to a request for comment.

"It's easily the worst vulnerability since mass-adoption of the Internet," said Matthew Prince, CEO of CloudFlare Inc., a San Francisco cybersecurity company.

The hole in the Internet was supposed to be fixed quietly. Researchers at Google Inc. who found the bug told the team in charge of the code, the OpenSSL Project, last week, said Mark Cox, an OpenSSL manager.

OpenSSL then planned to tell trusted website operators how to fix the bug before making it public Wednesday. Some big sites, including Facebook and Akamai Technologies Inc., did get a heads up, people familiar with the research said.

But by Sunday managers feared that news of the security hole had leaked to hackers, and so they disclosed it on Monday. That caught companies from Amazon.com Inc. to Yahoo unprepared.

A Yahoo spokeswoman said the company had "made the appropriate corrections." Amazon Web Services posted a security bulletin detailing what services it had updated.

The episode illustrates the delicate task of managing the Internet's plumbing to keep it safe for banks, social networks and retailers. When companies find flaws, they have to decide how to tell as many people as possible without tipping off hackers.

If the news gets out too quickly, the "patches" to fix the bug may not be ready, said Christopher Soghoian, a technologist at the American Civil Liberties Union. Move too slowly, and hackers will learn of the weakness.

A Google spokeswoman declined to comment on who was notified early. Codenomicon, whose researchers also helped find the bug, didn't respond to a request for comment.

The Heartbleed bug is so serious because the software it affects, OpenSSL, runs on about two-thirds of Internet servers, leaving a large share of them exposed when the bug was disclosed Monday. Websites where users have to log in increasingly use encryption to make sure users' personal information is unreadable as it traverses the Internet.

Most of them, including Internet companies, banks and the federal government, rely on OpenSSL, a free, open-source library of encryption code maintained by Mr. Cox and three other European developers.

The bug, catalogued as CVE-2014-0160, is present in OpenSSL 1.0.1 through 1.0.1f, versions released over the past two years, and is fixed in 1.0.1g. It sits in the TLS "heartbeat" extension: a vulnerable server answers a malformed heartbeat request by echoing up to 64 kilobytes of its own memory, which can contain decrypted traffic, session cookies and even the server's private key.

Exploitation leaves no trace in ordinary server logs, because the malicious heartbeat is a valid protocol message handled below the application layer; researchers said that makes it impossible for a website to tell whether hackers used the bug to steal data. That means companies can't notify consumers who may have been hacked.
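The over-read described above, as an added example that is not part of the original article and not OpenSSL's own code: a simplified C model of the TLS heartbeat handler (message layout from RFC 6520), with the vulnerable pattern beside the fixed one. The "server memory" is a single constructed array holding the received record and a planted session cookie, so the over-read stays inside defined behaviour; the bounds check in heartbeat_fixed mirrors the one added in OpenSSL 1.0.1g. All function and variable names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory, constructed for this example: the received heartbeat
 * record sits at offset 0 and an unrelated session cookie sits further along in
 * the same array. In a real process the bytes past the record are whatever the
 * heap happens to hold. */
#define ARENA_SIZE 128
#define SECRET_OFFSET 40
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=SECRET";

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* What the TLS layer knows: where the record starts and how many bytes actually arrived. */
typedef struct { const unsigned char *data; size_t length; } tls_record;

/* Shared response construction: echo payload_len bytes starting at p, then padding. */
static size_t build_response(const unsigned char *p, unsigned int payload_len,
                             unsigned char *out, size_t out_cap) {
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);            /* copies whatever follows the header */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable handler (the CVE-2014-0160 pattern): payload_len comes from the
 * attacker-controlled field and is never compared with rec->length, the number
 * of bytes that actually arrived, so memcpy reads past the end of the record. */
size_t heartbeat_vulnerable(const tls_record *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    unsigned int payload_len;
    if (rec->length < 3 || p[0] != HB_REQUEST) return 0;
    payload_len = ((unsigned int)p[1] << 8) | p[2];
    return build_response(p + 3, payload_len, out, out_cap);
}

/* Fixed handler, mirroring the check added in OpenSSL 1.0.1g: header plus claimed
 * payload plus minimum padding must fit in the received record, else drop it. */
size_t heartbeat_fixed(const tls_record *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    unsigned int payload_len;
    if (rec->length < 1 + 2 + HB_PADDING || p[0] != HB_REQUEST) return 0;
    payload_len = ((unsigned int)p[1] << 8) | p[2];
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec->length) return 0;  /* the missing bounds check */
    return build_response(p + 3, payload_len, out, out_cap);
}

/* Write a 23-byte request carrying the 4-byte payload "ping" into the arena,
 * with its length field set to claimed_len, and plant the secret after it. */
static tls_record make_request(unsigned int claimed_len) {
    tls_record rec;
    memset(arena, 'A', sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", 4);
    memset(arena + 7, 0, HB_PADDING);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret - 1);
    rec.data = arena;
    rec.length = 3 + 4 + HB_PADDING;
    return rec;
}

/* 1 if the vulnerable handler, fed a request that claims 64 bytes but carries 4,
 * returns the secret. The response echoes memory from offset 3 into out[3], so
 * arena[k] lands at out[k] and the secret keeps its offset. */
int vulnerable_leaks_secret(void) {
    unsigned char out[256];
    tls_record rec = make_request(64);
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return n >= SECRET_OFFSET + sizeof secret - 1 &&
           memcmp(out + SECRET_OFFSET, secret, sizeof secret - 1) == 0;
}

/* Response length from the fixed handler for the same oversized claim. */
size_t fixed_response_to_oversized(void) {
    unsigned char out[256];
    tls_record rec = make_request(64);
    return heartbeat_fixed(&rec, out, sizeof out);
}

/* Response length from the fixed handler for an honest 4-byte claim. */
size_t fixed_response_to_honest(void) {
    unsigned char out[256];
    tls_record rec = make_request(4);
    return heartbeat_fixed(&rec, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, oversized claim: %zu bytes\n", fixed_response_to_oversized());
    printf("fixed handler, honest claim:    %zu bytes\n", fixed_response_to_honest());
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable handler answers a request that claims 64 bytes of payload with an 83-byte response, 64 of them copied from beyond the 23-byte record, and from the server's point of view this is an ordinary heartbeat exchange, which is why the leak leaves nothing in its logs. The fixed handler drops the same request and still answers an honest one with the 23 bytes it should.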

Security teams at Facebook and Akamai, which helps move videos across the Internet, were among those warned in advance, people familiar with the matter said.

"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed," said a Facebook spokesman, who declined to elaborate. An Akamai spokesman said the company was contacted by the OpenSSL team in advance.

Google also had patched its systems ahead of time. The search giant told users Wednesday they didn't need to change Google passwords.

The Canada Revenue Agency said that, after learning late Tuesday about the Heartbleed bug, it decided to halt access to its online tools that allow individuals and businesses to make tax filings electronically.

In an update Wednesday, the agency said it was working on a "remedy" to restore online tax-filing services and expected the services to resume sometime this weekend.
